[OSM-dev] User authentication/Single sign on

David Earl david at frankieandshadow.com
Sat Nov 29 16:21:02 GMT 2008


On 29/11/2008 14:22, Rob wrote:
> maybe openid is something useful to support?

I did an openID implementation recently, partly as an experiment and 
partly because the login module was going to be replaceable, so I 
thought it might be quicker (I was wrong). I did both ends in fact 
because one thing I wanted to do was to make logins already established 
on one web site which I had control over (e.g. like OSM) authenticate 
users on another new partner site (though, of course, you could use any 
other openID provider you wanted). I used existing libraries of course - 
I didn't implement my own.

My experience was

(a) that it worked,

(b) that it was incredibly slow. It has to bounce back and forth between 
two, sometimes three, different web sites several times and do some 
amazingly complicated maths on the way. It was especially slow the first 
time someone logs on (after which it has some stuff cached, but isn't a 
very nice first impression)

(c) I ended up still having to do an email validation by sending a token 
to be returned, in order that I could communicate with them. The 
provider I set up was able to send a validated email address along with 
authenticating the identity, but I failed to get Yahoo or Verisign 
(openID providers) to give me email addresses even when I had turned on 
the option to say I was willing to have these transmitted (which not 
everyone would necessarily do). Email2ID can work as an intermediary so 
you can use an email address to log in, and that could do validation, 
but the point of openid is you can use the provider of your choice. 
Email2ID was unusably slow in its email turn round times.

(d) It is widely asserted on discussions about openID that end users are 
confused about using a URL as an identity. I think I'd agree in general 
but in my case, and in OSM's, we're dealing with a reasonably 
technically literate user base.

I think I'm going to leave the openID login on my site but allow them to 
specify a password alongside the identity so that once they've verified 
the identity once with the third party, they can log in directly to my 
site without the openID overhead.

OpenID is a nice idea, but the advantage of a cross site login is lost 
in the overhead of using it in my experience.

The biggest criticism of openID is the vulnerability of users to 
identity theft: a user can be phished by an unscrupulous site into 
entering their login details at a site which looks like their openID 
provider but isn't, and therefore lose their password - which of course 
gives the intruder access to not one but a wealth of sites used by the 
victim.

That is probably not too big a deal if the sites you log into merely 
need to know who you are in order to identify what user does what, as in 
OSM, but I would be wary about using it in any financial situations or 
for email accounts and that kind of thing.

So on balance I think I'd say don't bother - just re-register with the 
same name and password at the partner site.

David



